chore(zeppelin-web-angular): remediate npm audit findings in zeppelin-react#5257
chore(zeppelin-web-angular): remediate npm audit findings in zeppelin-react#5257jongyoul wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the zeppelin-react frontend audit flow to remediate current npm audit failures while allowing known @antv malware false-positive advisories to be filtered.
Changes:
- Upgrades
webpack-dev-serverto5.2.4. - Adds
audit-filter.jsto run and filter npm audit JSON output. - Updates the frontend CI workflow to use the custom audit filter.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
zeppelin-web-angular/projects/zeppelin-react/package.json |
Updates the webpack-dev-server dev dependency range. |
zeppelin-web-angular/projects/zeppelin-react/package-lock.json |
Locks webpack-dev-server to 5.2.4. |
zeppelin-web-angular/projects/zeppelin-react/audit-filter.js |
Adds custom npm audit filtering for selected advisories. |
.github/workflows/frontend.yml |
Runs the new audit filter in the zeppelin-react audit job. |
Files not reviewed (1)
- zeppelin-web-angular/projects/zeppelin-react/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
….js to fix npm audit
jongyoul
force-pushed
the
fix-npm-audit-issues
branch
from
db5a970 to
fd888bf
Compare
|
@tbonelee @ParkGyeongTae @voidmatcha I heard that @AntV had a security issue, so it's been fully deprecated. So npm-audit failed, so I removed them and used the vanilla one. Could you please check it? |
There was a problem hiding this comment.
- npm audit on master: 21 advisories (10 moderate / 5 high / 6 critical, incl. the @antv/adjust & @antv/color-util malware advisories)
- Diff review: no new dangerouslySetInnerHTML / eval / dynamic Function introduced, and chart labels/data are drawn on a 2D canvas context. So the migration doesn't add any XSS surface.
LGTM from a supply-chain perspective.
| labels: data.map(d => d.category), | ||
| datasets: [{ | ||
| label: 'Value', | ||
| data: data.map(d => data.value), |
There was a problem hiding this comment.
| data: data.map(d => data.value), | |
| data: data.map(d => d.value), |
Original(master)
As-Is
To-Be
The callback references the outer data array instead of the element d, so data.value is undefined for every row and the Area Chart renders empty.
What is this PR for?
This PR remediates
npm auditfailures in thezeppelin-reactmodule (zeppelin-web-angular/projects/zeppelin-react) onmaster.What changes are proposed?
webpack-dev-server: Updatedwebpack-dev-serverto^5.2.4inpackage.jsonto resolve the moderateuuidandwebpack-dev-servervulnerabilities.audit-filter.js: Created a custom audit filtering script to handle the@antv/color-utiland@antv/adjustmalware false-positives (GHSA-rh6v-hwr4-6jcp / GHSA-qcp2-qp9h-qprg). Npm marked all versions of these packages as malware, causing all audit runs to fail even though the pinned versions in Zeppelin were published years before the compromise. This script filters out those specific advisories while still validating other high/critical security issues..github/workflows/frontend.ymlto run the customaudit-filter.jsinstead of the rawnpm auditcommand.How should this be tested?
Verify that the
npm-auditjob passes in GitHub Actions.